Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 08 Apr 2002 03:00:00
Description created: 08 Apr 2002 06:58:00
Description updated: 04 Sep 2002 03:45:00
Malware type: WORM
Aliases: W32/Psec.A, W32.Aphex, I-Worm.Aphex, WORM_PSECURE.A
Spreading mechanism: EMAIL, IRC, OTHER, UNKNOWN
Summary: None

W32/Aplore.A@mm

Spreading

When first executed, the worm copies itself to the Windows System folder and, in that same folder, creates a second copy of itself named EXPLORER.EXE. This should not be confused with the legitimate EXPLORER.EXE, which normally lives in the Windows folder, not the System folder.

This fake Explorer copy is also referenced from the Registry, so it is launched at every logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run EXPLORER = %SYSDIR%\EXPLORER.EXE

After this it creates the files INDEX.HTML, EMAIL.VBS and APHEX.JPG in the System folder.

The file EMAIL.VBS is immediately launched with WSCRIPT to mail the worm to everyone in the address book.
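The persistence and drop steps above give a defender two host-side checks: a Run value that launches an EXPLORER.EXE from anywhere other than the Windows folder, and the dropped filenames sitting in the System folder. The script below is an added example and is not code from the original page or from Lumension. The folder paths C:\WINDOWS and C:\WINDOWS\SYSTEM32 are assumed (the page says only "Windows folder" and "Windows System folder"), and the Run-key dump and folder listing are constructed sample data; on a live Windows host the script reads the real Run key instead.

```python
import ntpath

# Assumed locations (the page says only "Windows folder" and "Windows System folder").
WINDIR = r"C:\WINDOWS"
SYSDIR = r"C:\WINDOWS\SYSTEM32"

# Filenames the page says the worm drops into the System folder.
DROPPED_FILES = {"explorer.exe", "index.html", "email.vbs", "aphex.jpg"}

# Constructed sample data (not from the original page): a Run-key dump and a
# System-folder listing as they might look on an infected host.
SAMPLE_RUN_VALUES = {
    "EXPLORER": r"%SYSDIR%\EXPLORER.EXE",                            # worm persistence entry
    "SynTPEnh": r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"',  # unrelated, benign
    "Shell":    r"C:\WINDOWS\explorer.exe",                           # Explorer in its real location
}
SAMPLE_SYSDIR_LISTING = [
    "kernel32.dll", "EXPLORER.EXE", "index.html", "Email.vbs", "aphex.jpg", "user32.dll",
]


def expand(cmd, windir=WINDIR, sysdir=SYSDIR):
    """Strip surrounding quotes, expand %SYSDIR%/%WINDIR% and normalise the path.
    Simplification: a Run value is treated as a bare path without arguments."""
    p = cmd.strip().strip('"')
    p = p.replace("%SYSDIR%", sysdir).replace("%WINDIR%", windir)
    return ntpath.normpath(p)


def fake_explorer_run_entries(run_values, windir=WINDIR):
    """Names of Run values that launch an EXPLORER.EXE from anywhere other than
    the Windows folder, where the legitimate one lives. Case-insensitive."""
    hits = []
    for name, cmd in run_values.items():
        head, tail = ntpath.split(expand(cmd, windir=windir))
        if tail.lower() == "explorer.exe" and ntpath.normcase(head) != ntpath.normcase(windir):
            hits.append(name)
    return hits


def dropped_files_present(listing):
    """Sorted list of the worm's dropped filenames found in a System-folder listing."""
    present = {n.lower() for n in listing}
    return sorted(DROPPED_FILES & present)


def read_run_values():
    """On a live Windows host read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run;
    on any other platform (no winreg module) return an empty dict."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    run_values = read_run_values() or SAMPLE_RUN_VALUES
    print("suspicious Run entries:", fake_explorer_run_entries(run_values))
    print("dropped files in listing:", dropped_files_present(SAMPLE_SYSDIR_LISTING))
```

The distinguishing feature is the folder, not the filename: the real EXPLORER.EXE and the worm's copy share a name, so a check that only looks for "explorer.exe" in the Run key would flag nothing useful. On a real host the listing check should be run against the actual System folder contents rather than the constructed sample.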

The worm now does something unusual: it starts a web server on the infected machine, listening on TCP port 8180 (the port seen in the advertised URLs below). The INDEX.HTML file mentioned above is the page served to anyone who connects. It looks something like this:


[Screenshot of the served INDEX.HTML page: not available]

Anyone who connects to an infected machine is thus prompted to download and run the worm executable.

Why would anyone do that? As it turns out, the worm is not finished: it connects to the Internet Relay Chat network and advertises the infected machine as a download site for pornographic material.

Such messages can look like this:


[catlee643] FREE PORN: http://free:porn@infected ip address:8180
[chrissy223] FREE PORN: http://free:porn@infected ip address:8180

The same advertisements are also sent via AOL Instant Messenger.
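The advertisement format gives a defender two things to match on in IRC or IM logs: the fixed port 8180, and the URL userinfo free:porn (the part before the @, which a browser sends as HTTP Basic credentials when it connects). The script below is an added example, not code from the original page or from Lumension. The chat lines are constructed and use documentation addresses, because the page gives only "infected ip address" as a placeholder; the "[nick] message" line format is taken from the page's samples and is an assumption about how the logs are laid out.

```python
import re
from urllib.parse import urlsplit

# Constructed chat-log lines (not from the original page): two advertisements in
# the worm's format using documentation addresses, benign chatter, and a URL on
# the same port but without the embedded free:porn credentials.
SAMPLE_LINES = [
    "[catlee643] FREE PORN: http://free:porn@192.0.2.10:8180",
    "[chrissy223] FREE PORN: http://free:porn@192.0.2.11:8180",
    "[dave] anyone have a mirror for the new kernel tarball?",
    "[spam01] check this out http://192.0.2.12:8180/index.html",
]

NICK_RE = re.compile(r"^\[([^\]]+)\]")        # "[nick] ..." prefix, as in the samples
URL_RE = re.compile(r"https?://[^\s<>\"']+")  # crude URL extractor for chat text


def flag_advertisements(lines, port=8180, userinfo=("free", "porn")):
    """Return one (nick, host, exact_match) tuple per URL pointing at the worm's
    listening port. exact_match is True when the URL also carries the free:porn
    username/password from the worm's messages; a URL on the port without it is
    still reported so an analyst can look at it."""
    hits = []
    for line in lines:
        nick_m = NICK_RE.match(line)
        nick = nick_m.group(1) if nick_m else None
        for m in URL_RE.finditer(line):
            u = urlsplit(m.group(0))
            try:
                url_port = u.port          # raises ValueError on a malformed port
            except ValueError:
                continue
            if url_port != port or not u.hostname:
                continue
            hits.append((nick, u.hostname, (u.username, u.password) == userinfo))
    return hits


def advertised_hosts(lines, **kw):
    """Distinct hosts advertised with the exact worm pattern, in first-seen order.
    These are the infected machines, not the nicks posting the messages."""
    seen = []
    for _, host, exact in flag_advertisements(lines, **kw):
        if exact and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for nick, host, exact in flag_advertisements(SAMPLE_LINES):
        print(f"{str(nick):12} {host:16} {'worm pattern' if exact else 'port only'}")
    print("hosts to investigate:", advertised_hosts(SAMPLE_LINES))
```

The host in the URL is the infected machine, since the worm advertises its own web server; the nick posting the message is whatever IRC or IM identity the worm is using on that host. Matching on the port alone produces weaker hits, which is why the exact free:porn match is reported separately.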

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14